Recent answers to some https sites displaying message "you have requested an encrypted page which contains some unencrypted informationhttps://support.mozilla.org/en-US/questions/9395252013-02-15T12:55:34-08:00In searching further about this, some users have zeroed in on how the return to your site is configu2013-02-15T12:55:34-08:00jscher2000https://support.mozilla.org/en-US/questions/939525?page=2#answer-408260

In searching further about this, some users have zeroed in on how the return to your site is configured. Based on what I have read, the secure-to-insecure warning arises when you have set one of the HTML variables (rm, for Return Method) to get the payment variables returned to your site using a POST. It apparently does not arise if you have rm set to use a GET.

Since you want the payment variables, you probably have this in your form that submits the transaction to PayPal:

&amp;lt;input type="hidden" name="rm" value="2"&amp;gt;

I still don't understand why the PayPal page includes both the POST form described in the documentation AND the 5-second meta refresh that ends up kicking in before you can OK the dialog. I find it hard to believe that was intentional; maybe there's a bug in the sandbox?

0 - "all shopping cart payments use the GET method" (default)
1 - "the buyer's browser is redirected to the return URL by using the GET method, but no payment variables are included"
2 - "the buyer's browser is redirected to the return URL by using the POST method, and all payment variables are included"

Auto-return seems to always use a GET, so people reporting this has solved the problem must not miss getting the variables.

OK, I'll see if I can distill this conversation down and do that.
Thanks for your effort in trying t2013-02-15T12:07:02-08:00jodyCoolnesshttps://support.mozilla.org/en-US/questions/939525?page=2#answer-408249

OK, I'll see if I can distill this conversation down and do that.

Thanks for your effort in trying to understand the problem.

Hi jodyCoolness, my goal here on the support forum is to look for immediate solutions or workarounds2013-02-15T11:31:39-08:00jscher2000https://support.mozilla.org/en-US/questions/939525?page=2#answer-408235

Hi jodyCoolness, my goal here on the support forum is to look for immediate solutions or workarounds, and it sounds as though you're stuck with PayPal's page as is.

It's possible this problem is a side effect of changes made in recent years to the way dialogs work. ??

I don't know whether Firefox should always delay or disregard a scheduled refresh or other navigation if it is waiting for user input on a dialog such as the OK/Cancel for an insecure form submission. It's hard to think of the scenarios where that might come up.

You probably should go ahead and file a bug for this in Bugzilla. I haven't searched to see whether anyone has filed it before.

I seriously doubt I could persuade paypal to change anything. Your analysis is appreciated, but I di2013-02-15T08:13:12-08:00jodyCoolnesshttps://support.mozilla.org/en-US/questions/939525?page=2#answer-408120

I seriously doubt I could persuade paypal to change anything. Your analysis is appreciated, but I distinctly see your position as biased against a mozilla solution, at least you haven't offered significant discussion concerning the split as I call it.

The paypal page is a single page. You may be right about how paypal has structured the page (I think the meta refresh tag is redundant and insignificant and as you point out will not fire), but I don't see a problem with the way other browsers process the response; it's always received as singular and monolithic.

I haven't looked into the bowels of the Joomla CMS request dispatch code, so I am not certain why responses from mozilla and safari for example, differ in how Joomla processes them.

Hi jodyCoolness, thank you for the expanded source. There is a meta refresh back to your site (witho2013-02-14T17:46:15-08:00jscher2000https://support.mozilla.org/en-US/questions/939525?page=2#answer-407985

Hi jodyCoolness, thank you for the expanded source. There is a meta refresh back to your site (without parameters) after 5 seconds, while a script is designed to submit the form 4 seconds after the DOM of the page is complete.

If there were no warning, the refresh would never run because the post will preempt the refresh. But there's no way as the website to prevent the warning from displaying.

I can't think of a good reason for the meta refresh to be in there -- if you want the form to submit in order to display all the data to the customer. There is a &amp;lt;noscript&amp;gt; blocktext informing the user to submit the form manually if scripting is disabled. Is there a way to get the meta refresh removed?

Here is the complete webpage my unsecured form appears on as generated by paypal:
&lt;!DOCTYPE HTML2013-02-14T15:47:52-08:00jodyCoolnesshttps://support.mozilla.org/en-US/questions/939525?page=2#answer-407952

Here is the complete webpage my unsecured form appears on as generated by paypal:

I'm not very technical, but thought my answer could possibly help someone. I made sure my version of2013-02-14T15:31:05-08:00MonikerTakerhttps://support.mozilla.org/en-US/questions/939525#answer-407947

I'm not very technical, but thought my answer could possibly help someone. I made sure my version of Firefox was up to date ( discovered this by accident)!, updated all of my Adobe Flash player settings, Adobe reader etc, and then reset my Firefox ( whilst still being able to keep my bookmarks and cookies) . https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

I had this error message coming up ALL the time, even when innocently searching the web and now it's totally gone :)

P.S- I also made sure my internet security was updated .

As suspected there is no change with add ons disabled.
I don't know what the rationale was to get r2013-02-14T15:29:33-08:00jodyCoolnesshttps://support.mozilla.org/en-US/questions/939525#answer-407946

As suspected there is no change with add ons disabled.

I don't know what the rationale was to get rid of the option that provides control over this warning, but IMO it should not have been removed as an option.

I don't know why there are two sets of data being returned, or why a subset of the data is considered to be encrypted, which is probably the reason for the two sets of data.

I have googled this issue and see similar complaints about it for 4 years now. Isn't it about time you started listening to your users and fix this?

Firefox has been my favorite browser for many years, but I am hearing more and more feedback from experienced web developers that it is no longer a quality product, in terms of the number of bugs reported and the subsequent releases to fix them.

My post is probably the most detailed you are going to get that provides technical reasons for this aberrant behavior. It is easy enough to setup a scenario to duplicate this issue. Create a page on an unsecured server, say on blogger.com, with a link to make a payment with paypal. Setup a paypal sandbox so it doesn't cost you a thing. Paypal always uses secured URLs, even for its sandbox servers. You will see the same issue when you return from paypal as I do.

Hi jodyCoolness, I don't know why a GET is being sent, I can't see any reason for that.
In case on2013-02-14T14:59:52-08:00jscher2000https://support.mozilla.org/en-US/questions/939525#answer-407922

Hi jodyCoolness, I don't know why a GET is being sent, I can't see any reason for that.

In case one of your add-ons is interacting with the form, could you try Firefox's Safe Mode?

hello jodyCoolness, if you suspect this is a general issue with firefox, please file a bug at bugzil2013-02-14T14:56:34-08:00philipphttps://support.mozilla.org/en-US/questions/939525#answer-407920

hello jodyCoolness, if you suspect this is a general issue with firefox, please file a bug at bugzilla.mozilla.org. thanks!

I have a simple Joomla website with a shopping cart component. It contacts paypal using an https, en2013-02-14T14:51:45-08:00jodyCoolnesshttps://support.mozilla.org/en-US/questions/939525#answer-407916

I have a simple Joomla website with a shopping cart component. It contacts paypal using an https, encrypted URL to pass the shopping cart data.

Once the user pays for the items a link is provided by paypal to return to the sellers website. That link takes the user to another paypal page that has an automatic redirect to the seller's website, and a manual link to click if the automatic redirect fails.

As soon as the redirect fires or you click the manual link to return, you get the popup in Firefox (versions 16.0.2 &amp;amp; 18.0.2 for Mac OSX tested).

All of this behavior is dictated by Paypal. For some crazy reason, where other browsers respond with GET and POST data in one http handshake session, occurring in close proximity in time and where they are treated as a singular request to be processed, Mozilla splits the response going back to the seller website (containing order payment confirmation info) into separate GET and POST segments, with the GET segment going out right away and the POST being held back waiting for an answer to the warning prompt to continue or not. No other browsers exhibit this behavior.

As I suggested, all of the data should be returned at the same time, so it is processed as a singular response, not split into two.

The paypal pages reside on a secure, ssl encrypted server. The Joomla website is on an unsecured server, and that's where the response is being returned. The paypal page is encrypted, but contains a form of unencrypted POST data. This data is sent only after the user answers your security warning dialog. However, a GET response with a few data items is sent immediately when the timer fires or the link is clicked to submit the form. The GET data is sent back prematurely, before the user answers the dialog. Who cares if the GET portion is secured; I suspect that's why it is sent apart from the POST data. The form is presented below.

Hi jodyCoolness, I don't understand your scenario: you have two requests to your server, one GET and2013-02-14T12:00:19-08:00jscher2000https://support.mozilla.org/en-US/questions/939525#answer-407840

Hi jodyCoolness, I don't understand your scenario: you have two requests to your server, one GET and one POST, and either the POST is not using SSL (why?) or there is an intervening insecure request to an external server (can that be avoided)? Why is there a race condition between your two requests: can't you wait for the POST to complete before making your GET request?

helenrbeaupre,
Even if you blocked that warning message for mixed content, the situation would still2013-02-14T11:54:16-08:00finitarryhttps://support.mozilla.org/en-US/questions/939525#answer-407838

helenrbeaupre,

Even if you blocked that warning message for mixed content, the situation would still be there, and the icon in the address bar would still not be a secure padlock image. It is possible to block that message from about:config.

security.warn_viewing_mixed - setting to false blocks the warning

The main problem is how this condition is handled. When the browser detects this situation, it break2013-02-14T09:43:15-08:00jodyCoolnesshttps://support.mozilla.org/en-US/questions/939525#answer-407796

The main problem is how this condition is handled. When the browser detects this situation, it breaks it's response into two, with the encrypted portion sent but the unencrypted part delayed until the user answers the dialog. In my case the first response seen by the server is a GET, and the second is a POST containing the form data needed to process the REQUEST (both GET and POST) properly. By the time the sever sees the POST data it has already processed the GET data and deems the response invalid, since there was no POST data to go along with the GET data.

Unless Mozilla decides to restore the preference option to disable this warning (this warning has been irritating people for 4 years now, and there was an option to disable the warning in older versions of Firefox) this bug should be fixed by holding the entire response (POST and GET data, encrypted or not) until the user answers the warning dialog to continue.

When the entire response is sent together it can be properly processed, just like other browsers do. This is a real bug in Firefox.

Appreciate your suggestions, but this is sounding too complicated for me--especially since I just re2012-11-12T08:23:27-08:00helenrbeauprehttps://support.mozilla.org/en-US/questions/939525#answer-380700

Appreciate your suggestions, but this is sounding too complicated for me--especially since I just read Google Chrome is the most secure browser. I may just start using Chrome. Thanks very much anyway!

You could consider using the NoScript extension as an alternate way to control which content loads i2012-11-12T08:05:43-08:00jscher2000https://support.mozilla.org/en-US/questions/939525#answer-380693

You could consider using the NoScript extension as an alternate way to control which content loads into a page. When you first start using NoScript, you will find yourself visiting its menu frequently to unblock sites that you want to be able to run scripts. Over time, as you build your list of approved sites, you won't need to use the menu as often.

I like using Mozilla Firefox for Facebook because it has spell check. Are you saying I cannot use Mo2012-11-11T20:17:29-08:00helenrbeauprehttps://support.mozilla.org/en-US/questions/939525#answer-380657

I like using Mozilla Firefox for Facebook because it has spell check. Are you saying I cannot use Mozilla Firefox for Facebook or Yahoo email? This doesn't seem right to me! Also, I DO get this error message when trying to enter my gmail. Currently, I am using Avira security software. I'm about to stop using Mozilla Firefox because of this error message. Any other solutions or advice is greatly appreciated. Should I try re-loading Firefox?

You should not be seeing this alert on Gmail or other (premium) e-mail and bank sites.
Facebook can 2012-11-11T19:24:40-08:00cor-elhttps://support.mozilla.org/en-US/questions/939525#answer-380646

You should not be seeing this alert on Gmail or other (premium) e-mail and bank sites.
Facebook can force a secure connection via its settings, but may not work properly with all its applications (games) if you do.
Large sites like Yahoo and Facebook are usually not designed to work properly with a secure connection as they may have ads from a lot of sources, so you may have to access them via a normal http connection.

Unlike an earlier user, I am not using youtube when I get this message. I am trying to get into my g2012-11-11T19:16:29-08:00helenrbeauprehttps://support.mozilla.org/en-US/questions/939525#answer-380645

Unlike an earlier user, I am not using youtube when I get this message. I am trying to get into my gmail, yahoo mail and facebook--not sites I want to compromise my security with! I would really really appreciate help figuring out this annoying pop-up. Thanks for any suggestions.

You can either disable that error message (there should be a check-box on the pop-up alert and only 2012-11-11T19:10:14-08:00cor-elhttps://support.mozilla.org/en-US/questions/939525#answer-380643

You can either disable that error message (there should be a check-box on the pop-up alert and only leave the basic globe instead of the padlock on the location bar) or use a normal http connection until YouTube has sorted this out and only serves secure content if you use a secure https connection.

Unfortunately, this ad blocker only worked for a couple of times--then I got the error message again2012-11-11T18:01:07-08:00helenrbeauprehttps://support.mozilla.org/en-US/questions/939525#answer-380631

Unfortunately, this ad blocker only worked for a couple of times--then I got the error message again. It really does prevent me from using Mozilla Firefox comfortably. Any other suggestions?

I picked the most popular Firefox ad-blocker (Adblock Plus) and didn't get this annoying error messa2012-10-16T11:07:33-07:00helenrbeauprehttps://support.mozilla.org/en-US/questions/939525#answer-375021

I picked the most popular Firefox ad-blocker (Adblock Plus) and didn't get this annoying error message! Thank you so very much for helping me with this--it has been a nuisance for months and prevented me from using firefox comfortably--despite many other great features!

Hi helenrbeaupre, my guess would be that most insecure content issues in Gmail and Facebook are caus2012-10-16T10:06:01-07:00jscher2000https://support.mozilla.org/en-US/questions/939525#answer-374989

Hi helenrbeaupre, my guess would be that most insecure content issues in Gmail and Facebook are caused by advertising. You might test an ad blocking add-on and see whether that resolves the issue. I haven't used any of them myself, so can't make a particular recommendation.

I get this when I go into my gmail or facebook account--not exactly reassuring! As a result, I have2012-10-16T08:49:56-07:00helenrbeauprehttps://support.mozilla.org/en-US/questions/939525#answer-374981

I get this when I go into my gmail or facebook account--not exactly reassuring! As a result, I have NOT used Mozilla firefox for these applications even though I would like to--especially since firefox has automatic spelling corrections along the way. Any suggestions on how I can prevent this message from coming up?

If it is YouTube, why worry about it? If you were buying something or doing banking, then do worry 2012-10-15T10:07:24-07:00finitarryhttps://support.mozilla.org/en-US/questions/939525#answer-374751

If it is YouTube, why worry about it? If you were buying something or doing banking, then do worry about it.

In a future version, Firefox will let you actually block the insecure content from loading. Currentl2012-10-14T16:13:18-07:00jscher2000https://support.mozilla.org/en-US/questions/939525#answer-374583

In a future version, Firefox will let you actually block the insecure content from loading. Currently, you only get a warning.